6. TECHNICAL SECURITY CONTROLS
6.8. Time-stamping
Certificates, CRLs, and OCSP entries shall contain time and date information about the Certificate, CRL, or OCSP information. Such information may not be cryptographically based.
7. CERTIFICATE, CRL, AND OCSP PROFILES
Globe Hosting currently offers a portfolio of digital certificates and related products that can be used in a way that addresses the needs of users for secure personal and business communications.
Globe Hosting offers a range of distinct certificate types. The different certificate types have differing intended usages and differing policies. Pricing and subscriber fees for the certificates are made available on the relevant official Globe Hosting websites. The maximum warranty associated with each certificate is set forth in Appendix E of this CPS.
As the suggested usage for a digital certificate differs on a per application basis, Subscribers are urged to appropriately study their requirements for their specific application before applying for a specific certificate.
Globe Hosting may update or extend its list of products, including the types of certificates it issues, as it sees fit. The publication or updating of the list of Globe Hosting products creates no claims by any third party. If necessary, Globe Hosting shall amend this CPS upon the inclusion of a new certificate product in the Globe Hosting hierarchy. The CPS shall usually be made public on the official Globe Hosting websites at least seven (7) days prior to offering such a new product.
Suspended or revoked certificates are appropriately referenced in the CRL and/or OCSP.
7.1. Certificate profile
Globe Hosting certificates are general purpose and may be used without restriction on geographical area or industry. In order to use and rely on a Globe Hosting certificate, the relying party must use X.509v3 compliant software.
7.1.1. Version number(s)
All Globe Hosting certificates are X.509 version 3 certificates.
7.1.2. Certificate extensions
Globe Hosting uses the standard X.509, version 3 to construct digital certificates for use within the Globe Hosting PKI. X.509v3 allows a CA to add certain certificate extensions to the basic certificate structure. Globe Hosting uses a number of certificate extensions for the purposes intended by X.509v3 as per Amendment 1 to ISO/IEC 9594-8, 1995. X.509v3 is the standard of the International Telecommunication Union for digital certificates.
7.1.2.1. Key Usage Extension field
Globe Hosting certificates include key usage extension fields to specify the purposes for which the certificate may be used and to technically limit the functionality of the certificate when used with X.509v3 compliant software. Reliance on key usage extension fields is dependent on correct software implementations of the X.509v3 standard and is outside of the control of Globe Hosting.
Globe Hosting assumes that user software that is claimed to be compliant with X.509v3 and other applicable standards enforces the requirements set out in this CPS. Globe Hosting cannot warrant that any such user software will support and enforce the controls required by Globe Hosting. All software use is left to the user’s sole discretion.
The possible key purposes identified by the X.509v3 standard are the following:
a) Digital signature, for verifying digital signatures that have purposes other than those identified in b), f) or g), that is, for entity authentication and data origin authentication with integrity
b) Non-repudiation, for verifying digital signatures used in providing a non-repudiation service which protects against the signing entity falsely denying some action (excluding certificate or CRL signing, as in f) or g) below)
c) Key encipherment, for enciphering keys or other security information, e.g. for key transport
d) Data encipherment, for enciphering user data, but not keys or other security information as in c) above
e) Key agreement, for use as a public key agreement key
f) Key certificate signing, for verifying a CA’s signature on certificates, used in CA certificates only
g) CRL signing, for verifying a CA’s signature on CRLs
h) Encipher only, public key agreement key for use only in enciphering data when used with key agreement
i) Decipher only, public key agreement key for use only in deciphering data when used with key agreement
7.1.2.2. Extension Criticality Field
The Extension Criticality field denotes two separate uses for the Key Usage field. If the extension is noted as critical, then the key in the certificate is only to be applied to the stated uses. To use the key for another purpose in this case would break the issuer’s policy. If the extension is not noted as critical, the Key Usage field is simply there as an aid to help applications find the proper key for a particular use.
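The following is an added example, not code from the CPS or from Globe Hosting, showing how relying-party software reads the Key Usage extension of 7.1.2.1 from DER and applies the criticality rule of 7.1.2.2. The three sample extensions are hand-encoded for this example and the helper names are this example's own.

```python
# Added example (not part of the Globe Hosting CPS): decode an X.509v3
# KeyUsage extension (OID 2.5.29.15) from DER and apply the rule that a
# critical KeyUsage binds the key to the listed purposes while a
# non-critical one is only advisory.  Pure Python, no third-party modules.

KEY_USAGE_OID = "2.5.29.15"
# Bit positions in the KeyUsage BIT STRING, in X.509v3 order (bit 0 is the
# most significant bit of the first content byte).
KEY_USAGE_BITS = [
    "digitalSignature", "nonRepudiation", "keyEncipherment",
    "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
    "encipherOnly", "decipherOnly",
]


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def decode_key_usage_extension(der):
    """Return (critical, set_of_usage_names) for a DER-encoded Extension."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or _decode_oid(oid) != KEY_USAGE_OID:
        raise ValueError("not a KeyUsage extension")
    critical = False                        # critical BOOLEAN DEFAULT FALSE
    tag, val, nxt = _read_tlv(body, pos)
    if tag == 0x01:
        critical, pos = val != b"\x00", nxt
    tag, ext_value, _ = _read_tlv(body, pos)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    tag, bits, _ = _read_tlv(ext_value, 0)
    if tag != 0x03:
        raise ValueError("KeyUsage must be a BIT STRING")
    unused, content = bits[0], bits[1:]     # first byte = count of unused bits
    usable_bits = len(content) * 8 - unused
    return critical, {
        name for i, name in enumerate(KEY_USAGE_BITS)
        if i < usable_bits and content[i // 8] & (0x80 >> (i % 8))
    }


def key_permitted_for(der, purpose):
    """7.1.2.2: a critical KeyUsage forbids unlisted purposes; a non-critical
    one is only a hint, so the purpose is not refused on its account."""
    critical, usages = decode_key_usage_extension(der)
    return purpose in usages or not critical


# Constructed sample extensions (hand-encoded DER, not from any real certificate).
SERVER_EXT = bytes.fromhex("300E0603551D0F0101FF0404030205A0")    # critical; digitalSignature, keyEncipherment
CA_EXT = bytes.fromhex("300E0603551D0F0101FF040403020106")        # critical; keyCertSign, cRLSign
ADVISORY_EXT = bytes.fromhex("300B0603551D0F0404030205A0")        # not critical; same bits as SERVER_EXT
```

Stricter validators treat Key Usage as binding regardless of the critical flag; the advisory branch above reproduces the reading given in 7.1.2.2 only.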
7.1.2.3. Basic Constraints Extension
The Basic Constraints extension specifies whether the subject of the certificate may act as a CA or only as an end-entity. Reliance on basic constraints extension field is dependent on correct software implementations of the X.509v3 standard and is outside of the control of Globe Hosting.
7.1.3. Algorithm object identifiers
Globe Hosting uses the UTN-USERFIRST-Hardware and AddTrust External CA Root for its Root CA Certificates. This allows Globe Hosting to issue highly trusted digital certificates by inheriting the trust level associated with the UTN root certificate (named “UTN-USERFIRST-Hardware”) and the AddTrust root certificate (named “AddTrust External CA Root”). The high-level representation of the Globe Hosting PKI set forth in Appendix C is used to illustrate the hierarchy utilized.
7.1.4. Name forms
Globe Hosting Certificates follow the naming policy set forth in Section 3.1.1.
7.1.5. Name constraints
No Stipulation.
7.1.6. Certificate policy object identifier
A Certificate Policy (CP) is a statement of the issuer that corresponds to the prescribed usage of a digital certificate within an issuance context. A policy identifier is a number unique within a specific domain that allows for the unambiguous identification of a policy, including a certificate policy.
Specific Globe Hosting certificate profiles are provided in Appendix D.
7.1.7. Usage of Policy Constraints extension
No Stipulation.
7.1.8. Policy qualifiers syntax and semantics
Globe Hosting usually includes information in the Policy Qualifier field of the Certificate Policy extension that puts Relying Parties on notice of the location of its CPS. This field usually includes a URL that points the Relying Party to the CPS where they can find out more about the limitations on liability and other terms and conditions governing the use of the Certificate.
7.1.9. Processing semantics for the critical Certificate Policies extension
No Stipulation.
7.2. CRL profile
Globe Hosting manages and makes publicly available directories of revoked certificates using Certificate Revocation Lists (CRLs). All CRLs issued by Globe Hosting are X.509v2 CRLs, in particular as profiled in RFC 3280.
7.2.1. Version number(s)
CRLs conform to RFC 3280 and contain the basic fields listed below:
Version: [Version 1]
Issuer Name: CountryName = [Root Certificate Country Name], OrganizationName = [Root Certificate Organization], CommonName = [Root Certificate Common Name] [UTF8String encoding]
This Update: [Date of Issuance]
Next Update: [Date of Issuance + 24 hours]
Revoked Certificates (CRL Entries):
Certificate Serial Number: [Certificate Serial Number]
Date and Time of Revocation: [Date and Time of Revocation]
7.2.2. CRL and CRL entry extensions
No Stipulation.
7.3. OCSP profile
OCSP is a way for users to obtain information about the revocation status of a Globe Hosting issued Certificate. Globe Hosting uses OCSP to provide information about all of its certificates.
OCSP responders conform to RFC 2560.
7.3.1. Version Number(s)
Globe Hosting uses Version 1 of the OCSP specification as defined by RFC 2560.
7.3.2. OCSP Extensions
Globe Hosting uses timestamps and validity periods to establish the accuracy of each OCSP response. Globe Hosting does not use a cryptographic nonce in connection with its OCSP services. Instead, local time should be used by participants to ensure the freshness of the OCSP response.
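Because no nonce ties a response to a request, a relying party can only bound replay of an old "good" answer by checking thisUpdate and nextUpdate against its own clock. The following added example (not code from the CPS or from Globe Hosting) implements that local-time freshness check for a nonce-less OCSP response and, since the same two fields appear in the CRL profile of 7.2.1, for a CRL as well; the clock-skew tolerance and the 24-hour maximum age are assumed local policy, and all timestamps are constructed.

```python
# Added example (not part of the Globe Hosting CPS): freshness check for an
# OCSP response or CRL that carries no nonce, using only the responder's
# thisUpdate/nextUpdate fields and the relying party's local clock.
# Skew and age limits are assumed local policy, not values from the CPS.
from datetime import datetime, timedelta, timezone

MAX_CLOCK_SKEW = timedelta(minutes=5)   # assumed tolerance between clocks
MAX_AGE = timedelta(hours=24)           # mirrors the 24-hour CRL nextUpdate of 7.2.1


def parse_generalized_time(s):
    """Parse the ASN.1 GeneralizedTime form used in CRLs and OCSP (YYYYMMDDHHMMSSZ)."""
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def check_freshness(this_update, next_update, now,
                    skew=MAX_CLOCK_SKEW, max_age=MAX_AGE):
    """Return (accepted, reason). Without a nonce a captured 'good' answer can
    be replayed until it expires, so the window is bounded on both sides."""
    if this_update > now + skew:
        return False, "thisUpdate is in the future beyond the allowed clock skew"
    if next_update is None:
        # RFC 2560: absent nextUpdate means newer status is always available;
        # cap the age locally instead of trusting the response indefinitely.
        if now - this_update > max_age:
            return False, "response older than the local maximum age"
        return True, "accepted: no nextUpdate, within maximum age"
    if next_update <= this_update:
        return False, "nextUpdate is not after thisUpdate"
    if next_update - this_update > max_age:
        return False, "validity window longer than local policy allows"
    if now > next_update + skew:
        return False, "nextUpdate has passed: stale response"
    return True, "accepted"


def check_freshness_str(this_update, next_update, now):
    """Convenience wrapper over GeneralizedTime strings (next_update may be None)."""
    return check_freshness(
        parse_generalized_time(this_update),
        parse_generalized_time(next_update) if next_update else None,
        parse_generalized_time(now),
    )


if __name__ == "__main__":
    # Constructed sample: a response issued two hours ago with a 24-hour window.
    print(check_freshness_str("20240115100000Z", "20240116100000Z", "20240115120000Z"))
```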
8. COMPLIANCE AUDIT AND OTHER ASSESSMENTS
The practices specified in this CPS have been designed to meet or exceed the requirements of generally accepted and developing industry standards including the AICPA/CICA WebTrust Program for Certification Authorities, ANS X9.79:2001 PKI Practices and Policy Framework, and other industry standards related to the operation of CAs.
8.1. Frequency or Circumstances of Assessment
An annual audit is performed by an independent external auditor to assess Globe Hosting’s compliance with the AICPA/CICA WebTrust program for Certification Authorities.
8.2. Identity/Qualifications of Assessor
Globe Hosting’s audits are performed by a public accounting firm that:
• Is a highly reputable accredited accounting firm that is a member of the American Institute of Certified Public Accountants (AICPA)
• Has significant quality assurance mechanisms, including peer review, competency testing, and other measures.
• Abides by and conforms with the applicable standards and best practices as set forth by the relevant standards committees.
• Is knowledgeable about the operations of the CA and has an expertise in public key security technology, data centers, personnel controls, and other relevant fields of interest.
8.3. Assessor’s Relationship to Assessed Entity
The Assessor is independent of Globe Hosting and does not have any financial interest or course of dealings with Globe Hosting that could foreseeably create a significant bias in the Assessor’s evaluation.
8.4. Topics Covered by Assessment
Topics covered by the annual audit include but are not limited to the following:
• CA business practices disclosure
• Service integrity
• CA environmental controls
8.5. Actions Taken as a Result of Deficiency
If any material noncompliance or deficiencies are discovered during an audit, then Globe Hosting shall create and implement a plan to cure such deficiencies or noncompliance. The plan shall be created by Globe Hosting management with input from the auditing agent. In the event that the deficiency cannot be resolved, Globe Hosting may revoke any certificates affected by deficiency or noncompliance.
8.6. Communication of Results
The results of each audit are reported directly to Globe Hosting management and any other appropriate entities that may be entitled to a copy of the results by law, regulation, or agreement.
Audit results may also be published by Globe Hosting in Globe Hosting’s sole and absolute discretion.
9. OTHER BUSINESS AND LEGAL MATTERS
This part of the CPS describes the business matters of Globe Hosting and legal representations, warranties and limitations associated with Globe Hosting digital certificates.
9.1. Fees
9.1.1. Certificate Issuance or Renewal Fees
Globe Hosting charges Subscriber fees for some of the certificate services it offers, including issuance and renewal. Such fees are detailed on the official Globe Hosting websites (www.GlobeSSL.com). Globe Hosting retains its right to effect changes to such fees.
9.1.2. Certificate Access Fees
Currently, Globe Hosting does not charge a fee for Certificate Access, but reserves the right to establish and charge a reasonable fee for access to its database of certificates. Charges may be incurred for extensive or time consuming searches. Fees for such extensive use are negotiated on an individual basis.
9.1.3. Revocation or Status Information Access Fees
Globe Hosting does not charge fees for the revocation of a certificate or for a Relying Party to check the validity status of a Globe Hosting issued certificate using its OCSP.
9.1.4. Fees for Other Services
Fees for other services offered by Globe Hosting are set either within the individual agreements with the parties or are detailed on the official Globe Hosting websites (www.GlobeSSL.com) depending on the Services required. Fees may be discussed for other services by contacting Globe Hosting at:
Globe Hosting Certification Authority Globe Hosting, Inc.
501 Silverside Road, Suite 105, Wilmington,
DE 19809, County of New Castle, United States of America
or by using the contact telephone numbers and addresses listed on any one of the websites listed.
9.1.5. Refund Policy
Globe Hosting offers a 30-day refund policy. During a 30-day period (beginning when a certificate is first issued), the Subscriber may request a full refund for their certificate. Under such circumstances, the original certificate may be revoked and a refund provided to the applicant.
Globe Hosting is not obliged to refund a certificate after the 30-day refund policy period has expired.
9.2. Financial Responsibility
9.2.1. Insurance Coverage
Globe Hosting maintains errors and omissions insurance coverage.
9.2.2. Other Assets
No Stipulation.
9.2.3. Insurance or Warranty Coverage for End-Entities
If Globe Hosting was negligent in issuing a digital certificate that resulted in a loss to a Relying Party, Relying Party may be eligible under Globe Hosting’s certificate warranty to receive reimbursement for any damages caused, subject to the limitations of Globe Hosting’s insurance policy. Except to the extent of willful misconduct, the liability of Globe Hosting is limited to the negligent issuance of certificates. The cumulative maximum liability of Globe Hosting to all applicants, subscribers and relying parties for each certificate is set forth in the table in Appendix E.
Under Globe Hosting’s warranty a covered person may only receive the maximum payment per online transaction listed in Schedule E ("Incident Limit") for which the Covered Person claims there was a breach of the Globe Hosting Warranty (each an "Incident"). If multiple Covered Persons are affiliated as to a common entity, then those multiple Covered Persons collectively are eligible to receive the maximum amount per Incident. Any payments to Covered Persons shall decrease the relevant Aggregate Limit available to any party for future payments for any claims relating to that Digital Certificate by an amount equal to the sum of such payments. For example, if a Digital Certificate carries a Payment Limit of $10,000 and a per incident limit of $1,000, then Covered Persons can receive payments in accordance with this warranty for up to $1,000 per Incident until a total of $10,000 has been paid in the aggregate for all claims by all parties related to that Digital Certificate. Upon renewal of any Digital Certificate, the total claims paid for such Digital Certificate shall be reset to zero dollars.
Globe Hosting certificates may only be used in connection with data transfer and transactions having a US dollar (US$) value no greater than the max transaction value associated with the certificate and detailed in the table in Appendix E of this CPS.
9.3. Confidentiality of Business Information
Globe Hosting observes applicable rules on the protection of personal data deemed by law or the Globe Hosting privacy policy to be confidential.
9.3.1. Scope of Confidential Information
Globe Hosting keeps the following types of information confidential and maintains reasonable controls to prevent the exposure of such records to non-trusted personnel.
• Executed Subscriber agreements.
• Certificate application records and documentation submitted in support of certificate applications whether successful or rejected.
• Transaction records and financial audit records.
• External or internal audit trail records and reports, except for WebTrust audit reports that may be published at the discretion of Globe Hosting.
• Contingency plans and disaster recovery plans.
• Internal tracks and records on the operations of Globe Hosting infrastructure, certificate management and enrolment services and data.
9.3.2. Information Not Within the Scope of Confidential Information
Subscribers acknowledge that revocation data of all certificates issued by the Globe Hosting CA is public information. Subscriber application data marked as “Public” in the relevant subscriber agreement and submitted as part of a certificate application is published within an issued digital certificate in accordance with this CPS.
9.3.3. Responsibility to Protect Confidential Information
All personnel in trusted positions handle all information in strict confidence. Globe Hosting is not required to and does not release any confidential information, unless otherwise required by law, without an authenticated, reasonably specific request by an authorized party specifying:
• The party to whom Globe Hosting owes a duty to keep information confidential.
• The party requesting such information.
• A court order, if any.
9.4. Privacy of Personal Information
9.4.1. Privacy Plan
Globe Hosting has implemented a privacy policy, which complies with this CPS. The Globe Hosting privacy policy is published at the Globe Hosting repository at www.GlobeSSL.com/repository.
9.4.2. Information Treated as Private
Any information about Subscribers that is not publicly accessible or available through the content of the issued certificate, a CRL, or the OCSP is treated as private information.
9.4.3. Information Not Deemed Private
Certificates, CRLs, the OCSP, and the information appearing in them are not considered private.
9.4.4. Responsibility to Protect Private Information
All Globe Hosting employees receiving private information are responsible to protect such information from compromise and disclosure to third parties. Each party shall use the same degree of care that it exercises with respect to its own information of like importance, but in no event shall the degree of care be less than a reasonable degree of care.
9.4.5. Notice and Consent to Use Private Information
Unless otherwise stated in this CPS, the applicable privacy policy, or by agreement, a party will not use private information without the subject’s express written consent.
9.4.6. Disclosure Pursuant to Judicial or Administrative Process
Globe Hosting shall be entitled to disclose any confidential or private information, if Globe Hosting believes, in good faith, that the disclosure is necessary in response to subpoenas and search warrants or if disclosure is necessary in response to a pending legal proceeding.
9.4.7. Other Information Disclosure Circumstances
No Stipulation.
9.5. Intellectual Property Rights
Globe Hosting or its partners or associates own all intellectual property rights associated with its databases, web sites, Globe Hosting digital certificates and any other publication originating from Globe Hosting including this CPS.
9.5.1. Certificates
Certificates are the property of Globe Hosting. Globe Hosting gives permission to reproduce and distribute certificates on a nonexclusive, royalty-free basis, provided that they are reproduced and distributed in full. Globe Hosting reserves the right to revoke the certificate at any time. Private and public keys are property of the subscribers who rightfully issue and hold them. All secret shares (distributed elements) of the Globe Hosting private key remain the property of Globe Hosting.
Subscribers represent and warrant that when submitting to Globe Hosting and using a domain and distinguished name (and all other certificate application information), they do not interfere with or infringe any rights of any third parties in any jurisdiction with respect to the third party’s trademarks, service marks, trade names, company names, or any other intellectual property right, and that the subscriber is not seeking to use the domain and distinguished names for any unlawful purpose, including, without limitation, tortious interference with contract or prospective business advantage, unfair competition, injuring the reputation of another, and confusing or misleading a person, whether natural or incorporated.
9.5.2. Copyright
This CPS is copyrighted by Globe Hosting. All rights reserved.
No part of this publication may be reproduced, stored in or introduced into a retrieval system, or transmitted, in any form or by any means (electronic, mechanical, photocopying, recording or otherwise) without prior written permission of Globe Hosting. Requests for any other permission to reproduce this Globe Hosting document (as well as requests for copies from Globe Hosting) must be addressed to:
Globe Hosting Certification Authority Globe Hosting, Inc.
501 Silverside Road, Suite 105, Wilmington,
DE 19809, County of New Castle, United States of America
9.5.3. Trademarks
“Globe Hosting”, “Globe Hosting CA”, “Globe SSL”, “Globe SSL CA” and other terms in this CPS are trademarks of Globe Hosting and may only be used by permission.
9.5.4. Infringement
Although Globe Hosting will provide all reasonable assistance, certificate subscribers shall defend, indemnify, and hold Globe Hosting harmless for any loss or damage resulting from any such interference or infringement and shall be responsible for defending all actions on behalf of Globe Hosting.
9.6. Representations and Warranties
Subscribers, relying parties and any other parties shall not interfere with or reverse engineer the technical implementation of Globe Hosting PKI services, including, but not limited to, the key generation process, the public web site, and the Globe Hosting repositories except as explicitly permitted by this CPS or upon prior written approval of Globe Hosting. Failure to comply with this as a subscriber will result in the revocation of the Subscriber's Digital Certificate without further